You know the drill: another year, another batch of U.S. state privacy laws to add to your compliance checklist.
2025 will be another banner year for privacy regulation in the U.S., with eight new U.S. state laws going into effect. The stakes for compliance are growing higher than ever. Whether it’s refining your data privacy practices or ensuring your tech stack is ready to handle new requirements, there’s a lot to unpack.
Let’s dive into the unique nuances of these laws, and what you need to do to stay ahead. Keep reading for:
If you’ve been tracking privacy legislation in the U.S., you know the federal government’s efforts to establish a comprehensive framework have fallen flat.
Two high-profile attempts, the American Data Privacy and Protection Act (ADPPA) and the American Privacy Rights Act (APRA), have made headlines but failed to cross the finish line. Key sticking points? Disputes over preemption (whether federal law should override state laws) and private right of action (whether individuals can sue for violations).
With no federal law in sight, states have stepped up, creating a patchwork of privacy regulations that expand consumer protections—but also introduce significant complexity for businesses.
A new, Republican administration takes the White House and Congress in January: could we finally see meaningful movement toward federal legislation? It’s possible, but unlikely.
For an expert take on this, check out our recent Privacy Huddle episode featuring my colleague Jonathan Joseph with Alysa Hutnik, Partner at Kelley Drye. They explore how the new White House administration might tackle privacy policy:
In the absence of a federal law, U.S. states are increasingly adopting their own privacy regulations to address the growing demand for data protection. These laws build on the foundations laid by pioneering legislation like the California Consumer Privacy Act (CCPA) and Virginia's Consumer Data Protection Act (VCDPA).
In 2025, several state privacy laws will take effect, including Iowa, Delaware, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, and Maryland. These laws enhance consumer data rights, including access, correction, deletion, and transparency, with varying compliance requirements and penalties.
Dates vary across the 8 new laws. Here’s when each new law goes into effect:
Each state’s legislation introduces specific requirements, but common themes include:
Failing to comply with these regulations can result in significant financial penalties, reputational harm, and legal challenges.
No two laws are created equal. Each introduces distinct requirements and priorities, from expanded consumer rights to unique compliance challenges for businesses. Here’s what you need to know about the nuances of these laws.
The ICDPA focuses on core consumer rights like access, correction, and deletion. Penalties for non-compliance can reach $7,500 per violation. It’s worth noting that Iowa’s law doesn’t mandate data correction rights for residents.
When it comes to unique data subject rights like this, it’s really up to the business to decide if a state-specific or national approach makes sense. With tools like Ketch DSR automation, you can create location-aware DSR portal experiences, showing the correct rights according to states.
However, many businesses choose to apply a single standard to all states for a unified experience for all consumers. It's important to consult your outside counsel to choose the best approach for your brand.
Delaware stands out by including nonprofits under its umbrella, expanding the scope of organizations affected. It also raises the bar on child protections: businesses must obtain opt-in consent for targeted advertising aimed at individuals under 18.
This differs from the federal Children's Online Privacy Protection Rule (COPPA) standard, which applies to children under 13, and mirrors the trend toward stricter age-appropriate design standards. If your brand attracts younger audiences, be ready for heightened compliance obligations.
Nebraska is unique in its lack of exemptions for small businesses. There is no minimum threshold for revenue or consumers served, meaning even small businesses must comply with the NDPA. For startups, this is a reminder that it’s often easier to build a strong privacy foundation early than to retrofit compliance later. Nebraska also emphasizes data security, requiring robust protection measures to minimize the risk of breaches.
New Hampshire joins the growing list of states requiring that businesses comply with the Global Privacy Control (GPC) signal. GPC is a browser-based privacy signal that indicates consumer preferences, and businesses are required to honor it. While GPC is already mandated in several states, the addition of New Hampshire reinforces the need for companies to ensure these tools are enabled in their systems. If your GPC mechanisms aren’t fully operational yet, now is the time to address that gap.
New Jersey offers a couple of unique twists. First, it has a shorter processing period for opt-out requests—15 days instead of the more typical 30 or 45. Second, it’s a rulemaking state, joining California and Colorado in adding layers of regulatory details over time. Companies should prepare for the possibility of evolving requirements.
Tennessee introduces an opt-in requirement for sensitive data, including biometrics and health information. This isn’t common in U.S. laws and mirrors the stricter consent standards seen in Europe’s GDPR. If your business processes sensitive data, you’ll need to secure explicit consumer consent–raising the stakes for companies that rely on this type of information.
Minnesota takes inspiration from Oregon by granting consumers the right to request a list of third parties their data is shared with. This can present logistical challenges, especially for businesses with complex advertising or data-sharing ecosystems. Remember, this list doesn’t include service providers but focuses on entities receiving data for “sales” or “sharing” purposes.
If your current data-sharing processes aren’t well-documented, now’s the time to start mapping them.
Maryland is turning heads with its affirmative data minimization requirements and outright bans on certain data sales, particularly in sensitive categories. These rules align with trends seen in laws like Washington’s My Health My Data Act, which forced some businesses to stop digital advertising entirely in that state.
Maryland’s broad interpretation of sensitive data categories will likely drive cautious implementation as businesses navigate what can and can’t be done under this law.
Here’s a side-by-side comparison of the key aspects of the upcoming privacy legislation to help you identify overlaps and differences:
With new state privacy laws coming into effect in 2025, privacy leaders must adapt quickly:
Navigating the evolving privacy landscape can be complex. At Ketch, we offer data privacy solutions that help businesses comply with regulations across jurisdictions. Our tools streamline consent management, data access requests, and compliance workflows, so you can focus on growing your business.
Request a demo to see how Ketch can support your compliance efforts.
“The privacy of our customers' data is very important to us, and we want to make sure we are acting in accordance with their wishes as well as complying with all state laws. Ketch helps us do this without a lot of overhead so we can focus our internal resources on growing our technology capabilities and supporting our aggressive omni-channel growth plans.”
- Mike Early, Chief Technology Officer, Francesca's
Optimizing your compliance strategy is not just a legal requirement–it’s an opportunity to build trust with your customers. Start preparing today to stay ahead of the curve.